The Life and Death of Passwords: Improving Security With Passwords and People
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.
Today: Jayson E. Street, a self-described “hacker-helper-human,” contemplates bad password advice, investing in human behavior, and why social engineering continues to work.
Investing in passwords, investing in people
Chrysta: You’ve talked about ensuring that people are protected not just by investing in security technology, but also in human behavior and security awareness. Can you elaborate on how people are seen, how users are seen as the problem, and your perspective or how you feel about that?
Jayson: Humans are not the weakest link in information security. They’re the least invested in for security. If you spent the same amount of money on intrusion detection systems, on firewalls, on IPSs, on cloud perimeter security, if you spent all that money on endpoint, the same amount of money that you spend on just educating your users on what their responsibilities are and how security ties into their job responsibilities, you would be getting breached every single day, every hour of the week via network attacks because you wouldn’t be investing in the network.
If you’re making technology the bulwark of your protection from the user, then it’s always going to fail. Because the user is never going to understand what they are in control of or what they’re in charge of.
A person who has a delivery van, they know exactly what the responsibilities are and what damages they can incur and job penalties they can incur if they are in an accident, if they operate the vehicle unsafely.
But if you’re a person on a computer, you can operate the laptop or the device as unsafely as you want and there are really not that many repercussions, and you’re not really told exactly what the security controls are or your responsibilities in operating that equipment.
Chrysta: What’s some of the worst password advice that you still hear repeated as gospel, either when you’re going to organizations or just when you hear people talking about security between themselves or people in the industry talking between themselves?
Jayson: I think some of the worst advice that I get from people when I hear users talking about passwords is, one: that changing your password every three months is beneficial. One of the places I worked – and I thought this was a great thing – had a policy where if you actually made a complex password, the more complex it was the less frequently you had to change your password. So it was letting people know, if you pick something complex, you’re good.
And also the fact that people are saying that you have to use special characters and you have to use numbers and you have to use different cases, but they don’t explain that they can use the spacebar. Spacebar changes the whole paradigm because instead of writing a password, you can write a passphrase. You can write a song lyric or a movie quote that you’re very familiar with and change some of the things around with a number or a special character here or there. And that totally changes a minimum eight-character password to a 24, 30-character password because it flows more when you’re typing out something instead of just trying to remember what the special character was at that one place.
Don’t fit me into 12 characters. No, I don’t go that way. I need more characters. I am a character that needs more characters.
When attackers target passwords
Chrysta: How have attackers’ methods changed or shifted in focus over the last 10 years? We’ve seen growth in the frequency and scope of these massive password dumps. How has that changed how attackers work?
Jayson: I think one of the biggest things we’re looking at is attackers and criminals going after users through their passwords. They’re sniffing them out, or they’re literally on the system and monitoring how they input their password. They’re grabbing their passwords that way, usually through interactions that an employee has already allowed through a suspicious website, a drive-by attack on a website or a suspicious email link.
Most of the attackers that you’ve seen usually start nowadays with a phishing attack. So [users] click on that, [attackers] have the passwords. These users are your insider threat by accident, by sometimes good intentions. They’re trying to be good employees and they’re trying to do their job and they’re trying to click on the link that they think was supposed to help facilitate something for their boss or something of that nature, and then they’re now the threat.
So that is another vector that we’re not investing a lot in because we don’t expect people to actually come on-site to commit the crime or to implant the device, but in reality, it’s like:
Jayson - “Well, how much could you lose as a company?”
Company - “Oh, easily with one bad hack, you could get $30,000,000 or $20,000,000.”
Jayson - “And you don’t think that’s worth the roundtrip ticket and a hotel room?”
Company - “Excuse me?”
Because the tools to do it are like a hundred bucks. The tools to actually commit that attack, well, you don’t even have to build the custom stuff, you just go and download the tool or buy the tool online and just plug it into their network.
Chrysta: Let’s dig in a bit into the perception that phishing happens because of poor decision making or being naturally gullible, not realizing the really sophisticated ways that attackers can short circuit your decision-making capabilities. What are some of the reasons that social engineering continues to work? What are some of the tactics that attackers will leverage to bypass that decision-making process and get people to just instinctively react in the way that they want?
Jayson: I’ve fallen for a phish. We need to get past this point where we think, “Oh, no one should ever fall for a phish.” No, that thought process is stigmatizing, and saying, “That would never happen to me,” means you’ve never detected it, you never noticed it, so luckily your technical controls picked that up.
Back in 2007, I believe, the Aurora attack saw Google employees targeted by a nation state. And literally, the nation state compromised 10 of their friends on Facebook because the employees knew to be wary, knew to be careful, knew to be very secure, they had specialized security training. So [the attackers] went after 10 of their friends, and then they had their friends’ compromised accounts send them links and that’s how they got in.
That is the reason why our technology is never always going to be successful, because people don’t have to be stupid to click on a link. They just have to be inattentive or just accepting. It’s emotion. An attacker, a criminal wants you to react emotionally instead of thinking logically. So they are going to do things that will invoke some kind of emotion. They’re going to have it where, “There’s a profit in it for me, there’s information in it for me or there’s something that I need to know or an advantage that I could have that makes me curious that wants to click the link.”
And that’s what their whole goal is: to make it emotional. So that is how you react, because they don’t want you thinking it out, they want you reacting to it. So getting a pressured email from your CEO makes you react. Getting a gift card from a gas company will make you react. Getting a $5 coupon off of the restaurant that’s right next to your headquarters for a lunch will make you react.
Advice for upping your password game
Chrysta: For the average person still dealing with passwords, at least for the vast majority of the accounts they use on a daily basis, what tools or best practices do you recommend for every individual?
Jayson: One: Use a password manager and multi-factor authentication whenever you can, especially that.
The second thing, though, is pen and paper. And people are like, “Jayson, you just said they write …” No, never write your password down. I say do it this way: There’s the movie Terminator. It’s like, “I’ll be back, baby.” It’s like 1-L-L, space, B-E, space, B-A-C-K and then “baby,” and then a question mark, then you write down, “Email Terminator.” Because you know what that third piece is. It’s something that you have, something you know, and it’s something you are, which is a movie buff or a favorite song lyric.
The person who sees that list doesn’t know what that list is containing or what it’s for. That’s the obfuscation part, but you know that reminder, “Oh, that’s the lyric I used for this,” and then you just put a number or a special character to show which ones you used and your mind will remember that if you train yourself that way. Because there’s a lot of passwords you’ve got to remember.
Next in our extended interview series: Nick Steele, research lead at Superlunar, weighs in on the weaknesses of password-based systems, the difference between a traditional login versus a passwordless one, and how WebAuthn is driving passwordless efforts forward.